I created this dashboard to see whether, and when, an application was deployed successfully. It is close to splunkninja’s query, but it also shows whether the host in question restarted to apply the new app.
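<!--
  Deployed Applications: a Simple XML form over splunkd's own logs in index=_internal.
  Panel 1 lists component=DeployedApplication events filtered by log level, host and
  application. Panel 2 lists the "Splunkd starting*" loader events for the same hosts,
  so a deployment can be lined up with the restart that applied it.

  Review notes:
  - Every search reads index=_internal, so a viewer needs a role that is allowed to
    search that index; without it the panels stay empty.
  - The picker tokens are substituted into the SPL as plain text, and form tokens can
    also arrive as form.TOKEN URL parameters rather than from the pickers. Share the
    dashboard only with roles already trusted to search _internal.
-->
<form>
  <label>Deployed Applications</label>
  <fieldset submitButton="false">
    <!-- Log level filter. The selected values expand to
         (log_level=INFO OR log_level=WARN* OR log_level=ERROR). -->
    <input type="checkbox" token="loglevelpicker" searchWhenChanged="true">
      <label>Log Level</label>
      <choice value="INFO">INFO</choice>
      <choice value="WARN*">WARNING</choice>
      <choice value="ERROR">ERROR</choice>
      <default>INFO,WARN*,ERROR</default>
      <!-- Parentheses keep the OR list one group, so the filter does not depend on
           operator precedence in the panel query. -->
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>log_level=</valuePrefix>
      <delimiter> OR </delimiter>
    </input>
    <!-- Time range shared by both panels through $field1.earliest$ / $field1.latest$.
         There is no submit button, so searchWhenChanged is set explicitly here, as on
         the other inputs. -->
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Host filter. The list is populated from hosts that logged a DeployedApplication
         event in the last 24 hours; a host with no such event is reachable only
         through "All". -->
    <input type="multiselect" token="hostpicker" searchWhenChanged="true">
      <label>Host</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>host=</valuePrefix>
      <delimiter> OR </delimiter>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd component=DeployedApplication | stats count by host</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <!-- Application filter. Each selected name becomes a *name* raw-text wildcard term,
         not a field=value match, so it matches the name anywhere in the event.
         NOTE(review): leading wildcards are expensive; keep the time range narrow. -->
    <input type="multiselect" token="apppicker" searchWhenChanged="true">
      <label>Application</label>
      <choice value="*">All</choice>
      <!-- Default to "All", as the host picker does, so the first panel runs on load
           instead of waiting for a selection. -->
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>*</valuePrefix>
      <valueSuffix>*</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>applicationx</fieldForLabel>
      <fieldForValue>applicationx</fieldForValue>
      <search>
        <!-- CDATA is required: the named capture groups (?<app2>...) contain "<",
             which is not legal in XML character data. The rex commands pull the app
             name out of bundle and etc/apps paths with either slash style; the first
             non-null of app, app2, app3, app5, application is used. -->
        <query><![CDATA[index=_internal sourcetype=splunkd component=DeployedApplication
| rex field=file "var(\/|\\\\)run(\/|\\\\)\w+(\/|\\\\)(?<app2>\w+)-"
| rex field=message "(etc|run)(\/|\\\\)(apps|\w+)(\/|\\\\)(?<app3>\w+)-\d+\.bundle"
| rex field=message "etc(\/|\\\\)apps(\/|\\\\)(?<app5>[^\/|\\\\|']+)"
| eval applicationx=coalesce(app,app2,app3,app5,application)
| stats count by applicationx
| fields - count]]></query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- Deployment events, newest first. The table shows the app field as indexed;
           the rex-derived applicationx from the picker is not recomputed here. -->
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd component=DeployedApplication $loglevelpicker$ $hostpicker$ $apppicker$ | table _time host app log_level event_message | sort - _time</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Last restart time</title>
      <!-- Lists every "Splunkd starting*" loader event for the selected hosts in the
           chosen time range. The query does not limit the result to the most recent
           start, so read the newest entry per host. -->
      <event>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=INFO $hostpicker$ component=loader event_message="Splunkd starting*"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">0</option>
        <option name="raw.drilldown">full</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>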